CVE-2022-25858: 
JavaScript vulnerability analysis and mitigation

The vulnerability CVE-2022-25858 affects the terser package versions before 4.8.1 and from 5.0.0 to before 5.14.2. This security flaw was discovered and disclosed on May 2, 2022, and published on July 14, 2022. The vulnerability is classified as a Regular Expression Denial of Service (ReDoS) issue that stems from insecure usage of regular expressions in the package (NVD, Snyk).

The vulnerability is categorized as CWE-1333 (Inefficient Regular Expression Complexity) with varying CVSS scores: NVD rates it as HIGH with a base score of 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), while Snyk assesses it as MEDIUM with a score of 5.3. The vulnerability exists due to the way regular expressions are evaluated in the package, which can lead to catastrophic backtracking. A proof of concept demonstrates that processing certain regex patterns like '/A(B|C+)+D/' against specific input strings can cause exponential processing time (Snyk).

When exploited, this vulnerability can cause the system to experience significant performance degradation or interruptions in resource availability. While the attacker cannot completely deny service to legitimate users, the affected resources may become partially available or experience reduced performance. The vulnerability does not impact confidentiality or integrity of the system (Snyk).

The recommended mitigation is to upgrade the terser package to version 4.8.1 or 5.14.2 or higher, depending on which major version is being used. The vulnerability has been patched in these versions through commits that address the insecure regular expression usage (GitHub Commit, GitHub Commit).